@classytic/arc 2.3.0 → 2.4.2

package/dist/permissions/index.mjs

@@ -1,579 +1,4 @@
-import { a as getTeamId, c as isElevated, l as isMember, n as PUBLIC_SCOPE } from "../types-Beqn1Un7.mjs";
-import { i as resolveEffectiveRoles, n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "../fields-CTd_CrKr.mjs";
-import { n as normalizeRoles, t as getUserRoles } from "../types-DelU6kln.mjs";
-import { t as MemoryCacheStore } from "../memory-B2v7KrCB.mjs";
-import { a as presets_exports, c as readOnly, i as ownerWithAdminBypass, n as authenticated, o as publicRead, r as fullPublic, s as publicReadAdminWrite, t as adminOnly } from "../presets-CeFtfDR8.mjs";
-import { randomUUID } from "node:crypto";
-
-//#region src/permissions/index.ts
-/**
-* Allow public access (no authentication required)
-*
-* @example
-* ```typescript
-* permissions: {
-*   list: allowPublic(),
-*   get: allowPublic(),
-* }
-* ```
-*/
-function allowPublic() {
-	const check = () => true;
-	check._isPublic = true;
-	return check;
-}
-/**
-* Require authentication (any authenticated user)
-*
-* @example
-* ```typescript
-* permissions: {
-*   create: requireAuth(),
-*   update: requireAuth(),
-* }
-* ```
-*/
-function requireAuth() {
-	const check = (ctx) => {
-		if (!ctx.user) return {
-			granted: false,
-			reason: "Authentication required"
-		};
-		return true;
-	};
-	return check;
-}
-/**
-* Require specific roles
-*
-* @param roles - Required roles (user needs at least one)
-* @param options - Optional bypass roles
-*
-* @example
-* ```typescript
-* permissions: {
-*   create: requireRoles(['admin', 'editor']),
-*   delete: requireRoles(['admin']),
-* }
-*
-* // With bypass roles
-* permissions: {
-*   update: requireRoles(['owner'], { bypassRoles: ['admin', 'superadmin'] }),
-* }
-* ```
-*/
-function requireRoles(roles, options) {
-	const check = (ctx) => {
-		if (!ctx.user) return {
-			granted: false,
-			reason: "Authentication required"
-		};
-		const userRoles = getUserRoles(ctx.user);
-		if (options?.bypassRoles?.some((r) => userRoles.includes(r))) return true;
-		if (roles.some((r) => userRoles.includes(r))) return true;
-		return {
-			granted: false,
-			reason: `Required roles: ${roles.join(", ")}`
-		};
-	};
-	check._roles = roles;
-	return check;
-}
-/**
-* Require resource ownership
-*
-* Returns filters to scope queries to user's owned resources.
-*
-* @param ownerField - Field containing owner ID (default: 'userId')
-* @param options - Optional bypass roles
-*
-* @example
-* ```typescript
-* permissions: {
-*   update: requireOwnership('userId'),
-*   delete: requireOwnership('createdBy', { bypassRoles: ['admin'] }),
-* }
-* ```
-*/
-function requireOwnership(ownerField = "userId", options) {
-	return (ctx) => {
-		if (!ctx.user) return {
-			granted: false,
-			reason: "Authentication required"
-		};
-		const userRoles = getUserRoles(ctx.user);
-		if (options?.bypassRoles?.some((r) => userRoles.includes(r))) return true;
-		const userId = ctx.user.id ?? ctx.user._id;
-		if (!userId) return {
-			granted: false,
-			reason: "User identity missing (no id or _id)"
-		};
-		return {
-			granted: true,
-			filters: { [ownerField]: userId }
-		};
-	};
-}
-/**
-* Combine multiple checks - ALL must pass (AND logic)
-*
-* @example
-* ```typescript
-* permissions: {
-*   update: allOf(
-*     requireAuth(),
-*     requireRoles(['editor']),
-*     requireOwnership('createdBy')
-*   ),
-* }
-* ```
-*/
-function allOf(...checks) {
-	return async (ctx) => {
-		let mergedFilters = {};
-		for (const check of checks) {
-			const result = await check(ctx);
-			const normalized = typeof result === "boolean" ? { granted: result } : result;
-			if (!normalized.granted) return normalized;
-			if (normalized.filters) mergedFilters = {
-				...mergedFilters,
-				...normalized.filters
-			};
-		}
-		return {
-			granted: true,
-			filters: Object.keys(mergedFilters).length > 0 ? mergedFilters : void 0
-		};
-	};
-}
-/**
-* Combine multiple checks - ANY must pass (OR logic)
-*
-* @example
-* ```typescript
-* permissions: {
-*   update: anyOf(
-*     requireRoles(['admin']),
-*     requireOwnership('createdBy')
-*   ),
-* }
-* ```
-*/
-function anyOf(...checks) {
-	return async (ctx) => {
-		const reasons = [];
-		for (const check of checks) {
-			const result = await check(ctx);
-			const normalized = typeof result === "boolean" ? { granted: result } : result;
-			if (normalized.granted) return normalized;
-			if (normalized.reason) reasons.push(normalized.reason);
-		}
-		return {
-			granted: false,
-			reason: reasons.join("; ")
-		};
-	};
-}
-/**
-* Deny all access
-*
-* @example
-* ```typescript
-* permissions: {
-*   delete: denyAll('Deletion not allowed'),
-* }
-* ```
-*/
-function denyAll(reason = "Access denied") {
-	return () => ({
-		granted: false,
-		reason
-	});
-}
-/**
-* Dynamic permission based on context
-*
-* @example
-* ```typescript
-* permissions: {
-*   update: when((ctx) => ctx.data?.status === 'draft'),
-* }
-* ```
-*/
-function when(condition) {
-	return async (ctx) => {
-		const result = await condition(ctx);
-		return {
-			granted: result,
-			reason: result ? void 0 : "Condition not met"
-		};
-	};
-}
-/** Read request.scope safely */
-function getScope(request) {
-	return request.scope ?? PUBLIC_SCOPE;
-}
-/**
-* Require membership in the active organization.
-* User must be authenticated AND have an active org (member or elevated scope).
-*
-* Reads `request.scope` set by auth adapters.
-*
-* @example
-* ```typescript
-* permissions: {
-*   list: requireOrgMembership(),
-*   get: requireOrgMembership(),
-* }
-* ```
-*/
-function requireOrgMembership() {
-	const check = (ctx) => {
-		if (!ctx.user) return {
-			granted: false,
-			reason: "Authentication required"
-		};
-		const scope = getScope(ctx.request);
-		if (isElevated(scope)) return true;
-		if (isMember(scope)) return true;
-		return {
-			granted: false,
-			reason: "Organization membership required"
-		};
-	};
-	check._orgPermission = "membership";
-	return check;
-}
-/**
-* Require specific org-level roles.
-* Reads `request.scope.orgRoles` (set by auth adapters).
-* Elevated scope always passes (platform admin bypass).
-*
-* @param roles - Required org roles (user needs at least one)
-*
-* @example
-* ```typescript
-* permissions: {
-*   create: requireOrgRole('admin', 'owner'),
-*   delete: requireOrgRole('owner'),
-* }
-* ```
-*/
-function requireOrgRole(...args) {
-	const roles = Array.isArray(args[0]) ? args[0] : args;
-	const check = (ctx) => {
-		if (!ctx.user) return {
-			granted: false,
-			reason: "Authentication required"
-		};
-		const scope = getScope(ctx.request);
-		if (isElevated(scope)) return true;
-		if (!isMember(scope)) return {
-			granted: false,
-			reason: "Organization membership required"
-		};
-		if (roles.some((r) => scope.orgRoles.includes(r))) return true;
-		return {
-			granted: false,
-			reason: `Required org roles: ${roles.join(", ")}`
-		};
-	};
-	check._orgRoles = roles;
-	return check;
-}
-/**
-* Create a scoped permission system for resource-action patterns.
-* Maps org roles to fine-grained permissions without external API calls.
-*
-* @example
-* ```typescript
-* const perms = createOrgPermissions({
-*   statements: {
-*     product: ['create', 'update', 'delete'],
-*     order: ['create', 'approve'],
-*   },
-*   roles: {
-*     owner: { product: ['create', 'update', 'delete'], order: ['create', 'approve'] },
-*     admin: { product: ['create', 'update'], order: ['create'] },
-*     member: { product: [], order: [] },
-*   },
-* });
-*
-* defineResource({
-*   permissions: {
-*     create: perms.can({ product: ['create'] }),
-*     delete: perms.can({ product: ['delete'] }),
-*   }
-* });
-* ```
-*/
-function createOrgPermissions(config) {
-	const { roles: roleMap } = config;
-	function hasPermissions(orgRoles, required) {
-		for (const [resource, actions] of Object.entries(required)) for (const action of actions) if (!orgRoles.some((role) => {
-			return (roleMap[role]?.[resource])?.includes(action);
-		})) return false;
-		return true;
-	}
-	return {
-		can(permissions) {
-			return (ctx) => {
-				if (!ctx.user) return {
-					granted: false,
-					reason: "Authentication required"
-				};
-				const scope = getScope(ctx.request);
-				if (isElevated(scope)) return true;
-				if (!isMember(scope)) return {
-					granted: false,
-					reason: "Organization membership required"
-				};
-				if (hasPermissions(scope.orgRoles, permissions)) return true;
-				return {
-					granted: false,
-					reason: `Missing permissions: ${Object.entries(permissions).map(([r, a]) => `${r}:[${a.join(",")}]`).join(", ")}`
-				};
-			};
-		},
-		requireRole(...roles) {
-			return requireOrgRole(roles);
-		},
-		requireMembership() {
-			return requireOrgMembership();
-		},
-		requireTeamMembership() {
-			return requireTeamMembership();
-		}
-	};
-}
-/**
-* Create a dynamic role-based permission matrix.
-*
-* Use this when role/action mappings are managed outside code
-* (e.g., admin UI matrix, DB-stored ACLs, remote policy service).
-*
-* Supports:
-* - org role union (any assigned org role can grant)
-* - global bypass roles
-* - wildcard resource/action (`*`)
-* - optional in-memory cache
-*/
-function createDynamicPermissionMatrix(config) {
-	const logger = config.logger ?? console;
-	const legacyTtlMs = config.cache?.ttlMs ?? 0;
-	const hasExternalStore = !!config.cacheStore;
-	const cacheTtlMs = legacyTtlMs > 0 ? legacyTtlMs : hasExternalStore ? 3e5 : 0;
-	const internalStore = !config.cacheStore && cacheTtlMs > 0 ? new MemoryCacheStore({
-		defaultTtlMs: cacheTtlMs,
-		maxEntries: config.cache?.maxEntries ?? 1e3
-	}) : void 0;
-	const cacheStore = config.cacheStore ?? internalStore;
-	const trackedKeys = /* @__PURE__ */ new Set();
-	const nodeId = randomUUID().slice(0, 8);
-	const DEFAULT_EVENT_TYPE = "arc.permissions.invalidated";
-	let eventBridge = null;
-	/** Clear local cache for an org without publishing events (avoids infinite loops). */
-	async function localInvalidateByOrg(orgId) {
-		if (!cacheStore) return;
-		const prefix = `${orgId}::`;
-		const toDelete = [];
-		for (const key of trackedKeys) if (key.startsWith(prefix)) toDelete.push(key);
-		for (const key of toDelete) try {
-			await cacheStore.delete(key);
-			trackedKeys.delete(key);
-		} catch (error) {
-			logger.warn(`[DynamicPermissionMatrix] invalidateByOrg delete failed for '${key}': ${error instanceof Error ? error.message : String(error)}`);
-		}
-	}
-	function isActionAllowed(actions, action) {
-		if (!actions || actions.length === 0) return false;
-		return actions.includes("*") || actions.includes(action);
-	}
-	function roleAllows(matrix, role, resource, action) {
-		const rolePermissions = matrix[role];
-		if (!rolePermissions) return false;
-		const resourceActions = rolePermissions[resource];
-		const wildcardResourceActions = rolePermissions["*"];
-		return isActionAllowed(resourceActions, action) || isActionAllowed(wildcardResourceActions, action);
-	}
-	function buildDefaultCacheKey(ctx, orgId, orgRoles) {
-		const userId = String(ctx.user?.id ?? ctx.user?._id ?? "anon");
-		const roles = (orgRoles ?? []).slice().sort().join(",");
-		return `${orgId ?? "no-org"}::${roles}::${userId}`;
-	}
-	async function resolveMatrix(ctx, orgId, orgRoles) {
-		if (!cacheStore) return config.resolveRolePermissions(ctx);
-		const cacheKey = config.cache?.key?.(ctx) ?? buildDefaultCacheKey(ctx, orgId, orgRoles);
-		if (!cacheKey) return config.resolveRolePermissions(ctx);
-		try {
-			const hit = await cacheStore.get(cacheKey);
-			if (hit) return hit;
-		} catch (error) {
-			logger.warn(`[DynamicPermissionMatrix] Cache get failed for '${cacheKey}': ${error instanceof Error ? error.message : String(error)}`);
-		}
-		const value = await config.resolveRolePermissions(ctx);
-		try {
-			await cacheStore.set(cacheKey, value, { ttlMs: cacheTtlMs });
-			trackedKeys.add(cacheKey);
-			const maxTracked = config.cache?.maxEntries ?? 1e4;
-			if (trackedKeys.size > maxTracked) {
-				const overflow = trackedKeys.size - maxTracked;
-				const iter = trackedKeys.values();
-				for (let i = 0; i < overflow; i++) {
-					const oldest = iter.next().value;
-					if (oldest) trackedKeys.delete(oldest);
-				}
-			}
-		} catch (error) {
-			logger.warn(`[DynamicPermissionMatrix] Cache set failed for '${cacheKey}': ${error instanceof Error ? error.message : String(error)}`);
-		}
-		return value;
-	}
-	function can(required) {
-		return async (ctx) => {
-			if (!ctx.user) return {
-				granted: false,
-				reason: "Authentication required"
-			};
-			const scope = getScope(ctx.request);
-			if (isElevated(scope)) return true;
-			if (!isMember(scope)) return {
-				granted: false,
-				reason: "Organization membership required"
-			};
-			const orgRoles = scope.orgRoles;
-			if (orgRoles.length === 0) return {
-				granted: false,
-				reason: "Not a member of this organization"
-			};
-			let matrix;
-			try {
-				matrix = await resolveMatrix(ctx, scope.organizationId, orgRoles);
-			} catch (error) {
-				return {
-					granted: false,
-					reason: `Permission matrix resolution failed: ${error instanceof Error ? error.message : String(error)}`
-				};
-			}
-			for (const [resource, actions] of Object.entries(required)) for (const action of actions) if (!orgRoles.some((role) => roleAllows(matrix, role, resource, action))) return {
-				granted: false,
-				reason: `Missing permission: ${resource}:${action}`
-			};
-			return true;
-		};
-	}
-	return {
-		can,
-		canAction(resource, action) {
-			return can({ [resource]: [action] });
-		},
-		requireRole(...roles) {
-			return requireOrgRole(roles);
-		},
-		requireMembership() {
-			return requireOrgMembership();
-		},
-		requireTeamMembership() {
-			return requireTeamMembership();
-		},
-		async invalidateByOrg(orgId) {
-			await localInvalidateByOrg(orgId);
-			if (eventBridge) try {
-				await eventBridge.publish(eventBridge.eventType, {
-					orgId,
-					nodeId
-				});
-			} catch (error) {
-				logger.warn(`[DynamicPermissionMatrix] Failed to publish invalidation event for org '${orgId}': ${error instanceof Error ? error.message : String(error)}`);
-			}
-		},
-		async clearCache() {
-			if (!cacheStore) return;
-			if (cacheStore.clear) try {
-				await cacheStore.clear();
-				trackedKeys.clear();
-				return;
-			} catch (error) {
-				logger.warn(`[DynamicPermissionMatrix] cacheStore.clear failed: ${error instanceof Error ? error.message : String(error)}`);
-			}
-			for (const key of trackedKeys) try {
-				await cacheStore.delete(key);
-			} catch (error) {
-				logger.warn(`[DynamicPermissionMatrix] Cache delete failed for '${key}': ${error instanceof Error ? error.message : String(error)}`);
-			}
-			trackedKeys.clear();
-		},
-		async connectEvents(events, options) {
-			if (eventBridge) await this.disconnectEvents();
-			const eventType = options?.eventType ?? DEFAULT_EVENT_TYPE;
-			const unsubscribeFn = await events.subscribe(eventType, async (event) => {
-				const payload = event.payload;
-				if (!payload?.orgId) return;
-				if (payload.nodeId === nodeId) return;
-				await localInvalidateByOrg(payload.orgId);
-				if (options?.onRemoteInvalidation) try {
-					await options.onRemoteInvalidation(payload.orgId);
-				} catch (error) {
-					logger.warn(`[DynamicPermissionMatrix] onRemoteInvalidation callback failed for org '${payload.orgId}': ${error instanceof Error ? error.message : String(error)}`);
-				}
-			});
-			eventBridge = {
-				publish: events.publish,
-				unsubscribe: typeof unsubscribeFn === "function" ? unsubscribeFn : null,
-				eventType,
-				onRemoteInvalidation: options?.onRemoteInvalidation
-			};
-		},
-		async disconnectEvents() {
-			if (!eventBridge) return;
-			try {
-				eventBridge.unsubscribe?.();
-			} catch (error) {
-				logger.warn(`[DynamicPermissionMatrix] disconnectEvents unsubscribe failed: ${error instanceof Error ? error.message : String(error)}`);
-			}
-			eventBridge = null;
-		},
-		get eventsConnected() {
-			return eventBridge !== null;
-		}
-	};
-}
-/**
-* Require membership in the active team.
-* User must be authenticated, a member of the active org, AND have an active team.
-*
-* Better Auth teams are flat member groups (no team-level roles).
-* Reads `request.scope.teamId` set by the Better Auth adapter.
-*
-* @example
-* ```typescript
-* permissions: {
-*   list: requireTeamMembership(),
-*   create: requireTeamMembership(),
-* }
-* ```
-*/
-function requireTeamMembership() {
-	const check = (ctx) => {
-		if (!ctx.user) return {
-			granted: false,
-			reason: "Authentication required"
-		};
-		const scope = getScope(ctx.request);
-		if (isElevated(scope)) return true;
-		if (!isMember(scope)) return {
-			granted: false,
-			reason: "Organization membership required"
-		};
-		if (!getTeamId(scope)) return {
-			granted: false,
-			reason: "No active team"
-		};
-		return true;
-	};
-	check._teamPermission = "membership";
-	return check;
-}
-
-//#endregion
-export { adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDynamicPermissionMatrix, createOrgPermissions, denyAll, fields, fullPublic, getUserRoles, normalizeRoles, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, resolveEffectiveRoles, when };
+import { i as resolveEffectiveRoles, n as applyFieldWritePermissions, r as fields, t as applyFieldReadPermissions } from "../fields-ipsbIRPK.mjs";
+import { n as normalizeRoles, t as getUserRoles } from "../types-ZUu_h0jp.mjs";
+import { S as createRoleHierarchy, _ as ownerWithAdminBypass, a as createOrgPermissions, b as publicReadAdminWrite, c as requireOrgMembership, d as requireRoles, f as requireTeamMembership, g as fullPublic, h as authenticated, i as createDynamicPermissionMatrix, l as requireOrgRole, m as adminOnly, n as allowPublic, o as denyAll, p as when, r as anyOf, s as requireAuth, t as allOf, u as requireOwnership, v as presets_exports, x as readOnly, y as publicRead } from "../permissions-CA5zg0yK.mjs";
+export { adminOnly, allOf, allowPublic, anyOf, applyFieldReadPermissions, applyFieldWritePermissions, authenticated, createDynamicPermissionMatrix, createOrgPermissions, createRoleHierarchy, denyAll, fields, fullPublic, getUserRoles, normalizeRoles, ownerWithAdminBypass, presets_exports as permissions, publicRead, publicReadAdminWrite, readOnly, requireAuth, requireOrgMembership, requireOrgRole, requireOwnership, requireRoles, requireTeamMembership, resolveEffectiveRoles, when };